Quantum cryptography, based on Heisenberg's uncertainty principle, is supposedly a bullet-proof solution against eavesdropping. However, as is the case with mathematical encryption solutions, it is not the math or the quantum physics that causes issues; it is the implementation.
"Computer scientists have pulled off what is claimed to be the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography."
In a world without communication errors, this is supposed to work but guess what, we are not in a perfect world :)
"In practice, however, it is not possible to completely eliminate errors in electronic communications because of factors such as noise and signal degradation. So practical systems accept key exchanges where the error rate is less than 20 per cent."

Back again... by Selim (22/03/2010)
It's been a while since my last entry. I can come up with many excuses for my laziness, such as ongoing projects, developing our framework for the services we provide, moving this blog application on top of that framework, creating a support application for our clients, updating and upgrading the alert service, etc. In any case, we are back again and hope you enjoy this blog and its upcoming content...
IIS 5/6 exploit by Selim (02/09/2009)
A recent exploit published for IIS 5.0/6.0 shows that even when you think you have fixed/patched all the bugs, a huge one (i.e. a remote root exploit) can have been hiding in there for a while.
--> "The vulnerability appears to be triggered only in limited circumstances, specifically when IIS is set to enable the file transfer protocol and there is a writable folder. While that suggests the majority of IIS installations aren't vulnerable, the universe of affected systems is still big enough to give the security conscious pause."
Perhaps it's time to upgrade and lockdown :)
Threats are everywhere by Selim (25/08/2009)
Recent news talks about how easy it has become to be a hacker, about malicious software targeting banks, and about how many more attacks are taking place every day. Is there nothing going well in information security? Considering in particular the web applications in our country, where attacks are effective, we are trying to follow developments in software security, even if somewhat behind. In my opinion, education and awareness are the most important issues. Most of the attacks that take place stem from our acting with a "nothing will happen to me" culture, and I think we are not taking sufficient precautions at either the corporate or the individual level...
Cheap(er) way to steal electronic data by Selim (13/07/2009)
Using power outlets and cheap lasers? They are probably cheaper in the States, but regardless, they claim that with $600 worth of equipment and a laptop with a sound adapter, this can be achieved. Here's the article:
"The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required"
This is actually nothing new; it is a form of wire-tapping:
"In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say. "
There may be some differences in keyboards and in how they signal, with variations in frequency, but the researchers say that it is even possible to focus on one keyboard from a distance of 15 meters. Pretty interesting stuff. What if I had some real $$$ to invest in such technology instead of just the $600 mentioned here (i.e. a government)?
No more password masking? by Selim (26/06/2009)
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
I'd think that most people would "feel secure" when the passwords are masked, even though nobody is looking over their shoulder and it wouldn't make the system any less or more secure. I would agree with the argument that it may be more beneficial to simply show the password as the user types; however, it may also make you lose business as people will think that the site is not secure :)
Iran election and Internet traffic by Selim (26/06/2009)
Interesting data on Internet activity right after the election.
Globalization and technology by Selim (26/06/2009)
Ease of transportation and the expansion of trade routes may play a big role in globalization, but in my view, without question, the Internet and the social networks it brought with it are by far the factor that creates globalization. With the Internet, globalization has eliminated socio-economic and cultural differences and become a platform that delivers information and news to everyone in the fastest way, and the applications supporting this platform (Facebook, Twitter, etc.) become more popular every day. Those who try to restrict the freedom the Internet environment gives us will always fail, because this is fundamentally contrary to the essence of Internet and network technologies. The most recent example is Iran's repressive regime and the restrictions it has put in place (or tried to apply). The struggle between opposing groups now takes place over the Internet. However many measures are taken for filtering/restriction, anyone with average knowledge and skill can bypass them, and does. For a restriction to work, all communication links (telephone, Internet, GSM, etc.) would have to be cut (a closed system is the most secure system, and of course the most useless one). The ease of information-sharing platforms, the growing number of users, and the declining importance of physical location (laptops, Internet on mobile devices, 3G, etc.) allow us, as end users, to reach every kind of information quickly and make restrictions even harder to enforce. I think globalization through the Internet and transparency in information sharing are now a part of our lives.
Credit card theft with a telescope by Selim (08/05/2009)
You need to be careful when using a credit card outside. Maybe the numbers shouldn't be printed on the card :) Hürriyet's report:
"The leader of a gang and 17 of his men were caught; using a telescope placed inside a vehicle 50 to 100 meters from ATMs, they captured the card numbers, security codes and PINs of people performing transactions and emptied their accounts."

Taking exams with laptops by Selim (04/05/2009)
"About 6,000 students in Norway are doing exams on their laptops in a trial that could soon be rolled out across the country."
With the current state and progress of technology and the use of the Internet, it seems impossible to avoid using laptops, PDAs, etc. for daily tasks. Electronic exams have been around for a while, but allowing kids to play around with the laptops outside exam hours may have its disadvantages. A curious teenager with a lot of free time may try to perform privilege escalation attacks using bugs in regular applications or the OS (probably M$oft):
"The laptops issued to the students are used for everyday schoolwork and come with standard software, such as word processors, spreadsheets and calculators installed, as well as subject specific applications for particular courses."
The access control program supposedly prevents students from cheating during the exam or communicating with others, with the help of a monitoring feature:
"The program works as a keylogger and takes screenshots and we can very easily get a graphic of what the students have used or have done."
What happens when someone escalates privileges through a bug in a well-known application (e.g. MS Word, Adobe Photoshop) during non-exam hours and manipulates the access control program that monitors the students? Are they able to boot up a different OS via live CD? Can they partition the drive to install a second OS (e.g. Linux) and play around with registry settings or other data in the original installation? Can they change the hard disk prior to the exam, install a different OS running a virtual environment (VMware, VirtualBox, etc.) and run the school-provided OS on a virtual machine while being able to communicate with peers through the host (it's just as easy as a few clicks to convert a physical box to a virtual one nowadays)? I just think that it is a matter of time before these laptops get hacked or students find a way to cheat the system without really exploiting a software bug, if they really want to (it would also depend on the culture and their ethical values, of course).
The importance of legal sanctions by Selim (13/04/2009)
I think we need more news like this for us to understand the importance of information security at a societal level.
"Cihan Çiçek, a lawyer in Muğla's Bodrum district, won the legal battle he started after hackers who obtained his password withdrew 50 thousand TL of his money from a bank's Internet branch two years ago."
As in the rest of the world, in Turkey too, security will come onto the agenda and gain importance through the enforcement of legal sanctions and penalties.
Stats on real danger surrounding us by Selim (09/04/2009)
Great stats. There's definitely a difference between being secure and feeling secure. As humans, our emotions play a major role in decision making and in deciding what to fear and what not to fear. Based on the stats from this article, here's the rundown on the top 10:
1. cigarettes
2. poor diet and sedentary lifestyle
3. drinking
4. medical errors, e.g. botched procedures, mis-prescribed drugs
5. a co-worker with an infection
6. toxic agents, e.g. asbestos in our ceiling, lead in our pipes, etc.
7. car crashes (more than half die due to not wearing seat belts)
8. suicide
9. STDs
10. being murdered (often by a relative or close friend)
The list is followed by drug overdose, occupational trauma, drowning, etc. Based on this data, should we fear ourselves and the decisions we make more than terrorists and natural disasters (global warming, earthquakes, storms, etc.)?
Conficker worm by Selim (26/03/2009)
The Conficker worm is scary, or maybe not. We don't know its capabilities yet, but it's supposed to be activated on April 1st (or not, as a joke :) ). The NY Times has an article and a blog post on it, and you can also find many write-ups out there on this topic. Regardless, it simply provides a good perspective on what we are to expect in the days to come in terms of information security in cyberspace. It is just not safe out there anymore. Even though the majority of people mean well and do not intend to cause any harm, it's the little group of malware authors, script kiddies, organized crime groups, etc. that's creating this mayhem. Similar to what you'd do in the real world when walking through a not-so-safe neighborhood, we have to protect ourselves in cyberspace by keeping our systems up-to-date, using anti-virus, anti-spam, and similar security technologies (carrying a pepper spray) and relying on ISPs to provide a secure infrastructure and identify malicious content (government, local police, etc.).
İstanbulkart and security by Selim (13/03/2009)
First I saw this news item, and then I looked here on the İETT page. Technology really brings great convenience into our lives, but one has to look into what the cost is. İstanbulkart really looks like a card that can host a lot of features. Some of the features mentioned and said to be coming:
...
- Natural gas and water bills will be payable, and purchases can be made from Halk Ekmek kiosks,
- If the citizen wishes, the card can be used as an e-wallet in addition to an e-ticket,
- Citizens who wish can use it as a health card, loading conditions such as illnesses and medications onto it,
- İstanbulkart will be adaptable to every kind of new system (Citizen card) that develops in parallel with technological progress,
...
I haven't had the chance to examine it yet, but considering its cost (6 TL deposit), size, and usage, I assume it's a card that works as passive RFID. It will be able to hold about 128 bytes of data in total. Data integrity, confidentiality of personal information, and authentication are the points that raise the first question marks in my mind. I wonder whether the product and the system as a whole have gone through a security audit. We'll see what happens over time as usage increases...
List of top 20 security controls - Consensus Audit Guidelines by Selim (24/02/2009)

Attacking SSL and improved MITM attack by Selim (24/02/2009)
Man-in-the-middle attacks have been around for a long time. It's usually possible to trick a less-knowledgeable user into accepting the browser warnings, leading to a successful SSL MITM attack and sniffing of the traffic. Now this is possible even without any warning being displayed to the end user. Here's the presentation from the BlackHat conference. This attack won't work when you type an "https" URL directly into the address bar, but it is aimed at the fact that most SSL pages are reached either by clicking a link or via redirection (302 response).
SQL injection attacks on security vendor by Selim (17/02/2009)
A security company can make mistakes too, and may face a successful attack:
"Although the attackers were able to read information from the database they couldn't write or manipulate it. And they couldn't access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it's not the end of the world."
The important lesson here is using defense-in-depth and general security principles, so that even if an unexpected (I don't know if there's any other kind) attack occurs on the system, the impact is minimal.
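The two layers of that lesson side by side, as an added example that is not code from the original post or from the vendor: string-built SQL lets a payload read more than intended (the "could read" part of the quote), parameterized queries close that hole, and a read-only connection is the least-privilege layer that keeps a successful injection from writing (the "couldn't write" part). The table, column names and sample rows are constructed for this example.

```python
import os
import sqlite3
import tempfile

# Constructed sample data standing in for the vendor's public "statistics"
# table; table/column names are assumptions made for this example.
SAMPLE_ROWS = [("DE", 120), ("TR", 85), ("US", 300)]


def build_stats_db(path):
    """Create the constructed statistics database at `path`."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE stats (country TEXT, infections INTEGER)")
    conn.executemany("INSERT INTO stats VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def open_readonly(path):
    """Least-privilege layer: the web application's connection may only read."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_vulnerable(conn, country):
    """String-built SQL: untrusted input becomes part of the statement."""
    sql = "SELECT infections FROM stats WHERE country = '%s'" % country
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, country):
    """Fixed version: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT infections FROM stats WHERE country = ?"
    return [row[0] for row in conn.execute(sql, (country,))]


def attempt_write(conn):
    """Return True if a write got through, False if the connection refused it."""
    try:
        conn.execute("UPDATE stats SET infections = 0")
        conn.commit()
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False


def demo():
    """Run both query styles against constructed payloads and return what happened."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_stats_db(path)
        ro = open_readonly(path)
        tautology = "' OR '1'='1"                              # dumps every row
        schema_leak = "' UNION SELECT name FROM sqlite_master --"  # reads another object
        result = {
            "vuln_tautology": lookup_vulnerable(ro, tautology),
            "vuln_union": lookup_vulnerable(ro, schema_leak),
            # the same payloads are just unknown country names when bound
            "param_tautology": lookup_parameterized(ro, tautology),
            "param_union": lookup_parameterized(ro, schema_leak),
            # even with a reachable write statement, the read-only user is refused
            "write_allowed": attempt_write(ro),
            "legit": lookup_parameterized(ro, "TR"),
        }
        ro.close()
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```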
Stolen identity data by Selim (12/02/2009)
The identity details of 687 thousand people (teachers) have been stolen.
"It has emerged that all data in the Provincial and District National Education Directorates Management Information System (İLSİS) was made available for sharing on the famous file-sharing site Rapidshare"
I have written before about the accessibility of identity information in Turkey. People are allowed to query TC identity numbers over the Internet anonymously, without it being known where the requester comes from and without regard to authorization level. In addition, every kind of organization is allowed to ask for this information. Even the courier bringing a package to your home can take your ID and write these numbers and details on a piece of paper. In such an environment, accessing someone's identity details shouldn't be very hard. As far as I understand from this Hürriyet report, an existing SQL injection vulnerability on the site made it easier to reach and download the details of some 687 thousand people in a short time. There is a lot that could be written about the technical details, but I won't take up the subject of web application security, or insecurity, on this blog (I have written about this before as well). I think the TC identity number needs to be protected legally, in a way our state can enforce on institutions through sanctions. If the TC identity number is an element unique to an individual's identity, then ensuring the confidentiality and integrity of this information is as important as the information itself. The responsibility for this should lie with the institutions that hold and use this information (e.g. banks, employers, government offices, etc.), and serious penal sanctions should be applied to institutions that fail to protect it. But a fish rots from the head: this information must first be protected by state-affiliated units so that sanctions can also be applied to the private sector. I think today all of our identity details are easily accessible, and it would be wrong for us to assume they are kept confidential. I also argue that a ministry should be established for information technology, and even for information security. For Turkey to progress in security, someone has to take the initiative.
fake parking tickets by Selim (11/02/2009)
This is very interesting. "... hackers have hit on a new way to infect innocent computers: fake parking tickets that direct car owners to a site where they are instructed to download malicious software." This must certainly be much cheaper than distributing CDs or USB drives that install such malware via autorun, and probably more effective too, since people tend to accept directions that come from an authority figure (in this case the DMV) and would try to bypass any security warnings.
hacking road signs by Selim (10/02/2009)
Here's a good example of why security should be considered for all devices and procedures, not just for corporate information security and assets.
Hundreds of details from a citizenship number by Selim (21/01/2009)
We were already able to do this as long as we could query/verify TC identity numbers. Especially today, the existing social networks (Facebook, LinkedIn, MySpace, etc.) make reaching personal information much easier. It is possible to find a targeted person's date of birth, parents' names, TC identity number, and similar information on the Internet within a short time. Besides the state not designating which information could be kept confidential (e.g. the TC identity number), another problem, I think, is that the authorized organizations processing this information do not have sufficiently secure procedures.
CWE/SANS comes up with Top 25 Most Dangerous Programming Errors by Selim (15/01/2009)
CWE Top 25 is similar to OWASP Top 10 and it is a good starting point for security awareness. However, when security companies and the competition start using it as a selling point, with phrases such as "We address all OWASP Top 10 and CWE Top 25 vulnerabilities in our assessments", I think it gets to the point of creating a false sense of security with assessments. Let's say security company X did a pentest and went through all CWE Top 25 vulnerabilities; then the customer will feel safe and sound until an attacker tries the 26th one :) I think these lists are great for educating the masses and creating awareness, but at the same time, with business competition in these tough times, it degrades what 'real' pentesters do. We don't only try to find the top 10 or top 25 vulnerabilities; there are hundreds more that you can add to the list. At the same time, if you don't put such verbiage in proposals, it makes you sound like you don't really care much about the top 10 or top 25 lists. The goal of a pentest is not and should not be just addressing the top vulnerabilities, but finding as many as possible (which by default includes the top vulnerabilities) with the provided resources.
Another disgruntled employee story by Selim (09/01/2009)
Here is the story. Well, this guy wasn't very talented. I'm surprised that after all those stories and incidents out there, ex-employees still try the lamest methods of harming companies, and then they get caught.
Welcome 2009 by Selim (08/01/2009)
... and the first hacks of the year
Rogue CA certificates - taking advantage of MD5 collision attack by Selim (31/12/2008)
This is pretty big news, especially considering the fact that the MD5 collision attack has been out there for a while and there still are certificate authorities (i.e. RapidSSL, FreeSSL, TrustCenter, RSA Data Security, Thawte, verisign.co.jp) that are using MD5. You can see the demo here: https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/ -- the site has an expired cert on purpose. So what does this mean? Well, man-in-the-middle attacks on SSL sites are now possible without seeing any warnings from the browser, because the browser will trust the certificate since it's signed by a so-called trusted CA (by checking the MD5 hash). You'll find a decent picture here.
Top 10 Security Stories of 2008 by Selim (31/12/2008)
We can't end this year without a top 10 list. Here it is.
0-day exploits by Selim (11/12/2008)
We have a 0-day exploit against Microsoft's XML parsing in IE. It's brand new, yet attackers have a PoC ready (for Vista and for XP) and are taking advantage of it in the wild.
Have we lost the war? by Selim (10/12/2008)
We always talk about the cat and mouse game when it comes to information security and keeping up with cyber-criminals. It seems like the mice have become stronger and faster, though, and are becoming more difficult to catch up with:
"One new infected webpage was discovered by anti-virus firm Sophos every 4.5 seconds, three times the rate it recorded last year. " (source)
Insecure web sites are widespread but we also have organized and easily accessible cyber-crime to be concerned about. This article mentions the reality of how easy it is to obtain stolen data on identities.
"Identity thieves who claim they stole details of 21 million German bank accounts are offering to sell the data on the black market for €12 million (US$15.3 million), a German magazine reported over the weekend.
To prove they weren't bluffing, the crooks produced the compact disc containing the names, addresses, phone numbers, birthdays account numbers, and bank routing numbers of 1.2 million accounts... "
So how do they do this? Well, for the case above, it is believed that call-center employees may be involved. This means there are issues in business processes and monitoring. In addition to these somewhat 'inside' jobs, it is relatively easy to fool an average user into downloading/installing malware, which often leads to identity theft.
"In general observations, the Finjan report says that organized crime continues to expand its Internet business, using what Finjan calls a criminal-to-criminal model (C2C) using Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009." (source)
Another survey reveals that end users and security awareness/training are the major concern and problem point (as one may have guessed already):
"A survey by Trend Micro revealed that only five per cent of malware infections resulted from the exploit of a software vulnerability. An analysis of the top 100 items of malware revealed that 53 per cent worked by duping users into downloading a malicious file, while 12 per cent operated through infected email attachments, ComputerWorld reports." (source)
Have we lost the war? Not yet; I don't think it is an option anyway, given the heavy use of the Internet and technology. Globally, we'll need better standards, laws and regulations to push businesses to implement better security measures throughout their processes, technological infrastructures, and employees. Information security is a business problem and it can only be solved by making the business take the necessary steps, which should combine aspects of people, technology, and processes. My guess is that we probably won't be able to catch the bad guys and what they improve upon on a day-to-day basis, but adjusting our shields and protection accordingly should be sufficient to continue doing business.
Secure Lego by Selim (24/11/2008)
Think again next time you buy lego for your kids, maybe you can make some use of it such as this one
DOS and DDOS tools and toolkits - it's illegal to make one now by Selim (24/11/2008)
Here "... The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence". It is also an offence to supply an article "believing that it is likely" to be used to commit such an offence. ..."
Pre-crime detection by Selim (09/10/2008)
Check out this article. "US Department of Homeland Security is developing a system designed to detect "hostile thoughts" in people walking through border posts, airports and public places. The DHS says recent tests prove it works. ... At an equestrian centre in Maryland, 140 paid volunteers walked through a pair of trailers kitted out with a battery of FAST sensors, including cameras, infrared heat sensors and an eyesafe laser radar, called a Bio-Lidar, that measures pulse and breathing rate from a distance. Some subjects were told to act shifty, be evasive, deceptive and hostile. And many were detected. "We're still very early on in this research, but it is looking very promising," says DHS science spokesman John Verrico. "We are running at about 78% accuracy on mal-intent detection, and 80% on deception." It seems like this will turn into today's lie detectors and will be bypassed when the time comes. However, a nice step towards having a world similar to the movie 'Minority Report' :)
Facebook security feature to fight spam by Selim (16/09/2008)
A security feature in Facebook is available to fight against spam. I don't know how effective it will be, given the history of the not-so-secure Facebook environment that we've experienced in the recent past.
Quantum Key Encryption with Lasers through space by Selim (28/08/2008)
Quantum, lasers, space, encryption ... Sounds like a Bond movie, but it is reality. Check this article, which gives a brief description of what quantum cryptography is and the hype/hope about it. One of the major challenges of quantum cryptography is the distance between end points. Current solutions are capable of sending encrypted traffic no more than 100 miles. However, through space, the distance problem seems to be going away: ".. To reach the satellite, the photons only had to travel through 5 miles of atmosphere during their 1000-mile journey, allowing the sequence to arrive in order. " Of course, now we have to set up satellites to utilize quantum cryptography for secure communication.
Keyless doors by Selim (27/08/2008)
This article in the newspaper describes what the new technology offers us. "... It was stated that the XD electronic lock product provides "full security" in homes and workplaces, and that the system can be used by keying in an entry code, with up to 9 people definable in the code box, or with an akbil-style ID key." Is this new system saying that only those who know or can guess the code will get in? I also wonder what the 'default' codes are (if defining 1 person also activates the other 8). I don't really believe this method is more secure than carrying a key. If there's both a key and a code, fine, but opening the door with only a code makes the thief's/attacker's job even easier. Especially considering weak code choices (date of birth, first or last digits of a phone number, 1234, 9999, etc.), I believe this will be proven in a short time. As applies in authentication generally, a solution with at least 2 factors (code + key) will be more effective, I think. I think it's worth following the market acceptance of this technology and the incidents that will arise, and deciding accordingly :)
BGP Hack - Potentially The Biggest Security Hole by Selim (27/08/2008)
Here's the article from Wired. "Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency. The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination." There are possible solutions to overcome this threat: "Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said." and use of authentication is another suggested solution: "... Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop."
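The first of the two countermeasures quoted above, ingress prefix filtering per peer, as an added example that is not code from the article or from any router vendor: each announcement is accepted only if the peer is known and the prefix is covered by one of that peer's authorized prefixes (more-specifics allowed only down to a maximum length, so a hijacker cannot win longest-match by slicing a block finer). The peer names, prefixes and the authorization table are constructed for this example; in practice the table is built from IRR route objects.

```python
import ipaddress

# Constructed authorization table: which prefixes each peer may originate.
# Peer names and prefixes are invented (documentation ranges) for this example.
AUTHORIZED = {
    "peer-A": ["203.0.113.0/24", "2001:db8:a::/48"],
    "peer-B": ["198.51.100.0/22"],
}


def evaluate_announcement(peer, prefix, table=AUTHORIZED, max_len_v4=24, max_len_v6=48):
    """Decide whether to accept `prefix` announced by `peer`; returns (accepted, reason)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # reject host bits set
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if peer not in table:
        return False, "unknown peer"
    max_len = max_len_v4 if net.version == 4 else max_len_v6
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    for allowed in table[peer]:
        allowed_net = ipaddress.ip_network(allowed)
        # subnet_of() raises on mixed address families, so check the version first
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True, f"covered by {allowed}"
    return False, "prefix not authorized for this peer"


def filter_updates(updates, table=AUTHORIZED):
    """Split (peer, prefix) announcements into accepted and rejected lists with reasons."""
    accepted, rejected = [], []
    for peer, prefix in updates:
        ok, reason = evaluate_announcement(peer, prefix, table)
        (accepted if ok else rejected).append((peer, prefix, reason))
    return accepted, rejected


# Constructed announcements, including the interception pattern the article
# describes: a peer originating a block that belongs to somebody else.
SAMPLE_UPDATES = [
    ("peer-A", "203.0.113.0/24"),    # exact authorized prefix
    ("peer-B", "198.51.100.0/24"),   # more-specific of own block, within /24 cap
    ("peer-B", "203.0.113.0/24"),    # hijack attempt: peer-A's block from peer-B
    ("peer-A", "203.0.113.128/25"),  # own block, but finer than the cap
    ("peer-B", "198.51.96.0/21"),    # supernet larger than the authorization
    ("peer-C", "192.0.2.0/24"),      # unknown peer
    ("peer-A", "2001:db8:a::/48"),   # IPv6 exact match
]

if __name__ == "__main__":
    accepted, rejected = filter_updates(SAMPLE_UPDATES)
    for peer, prefix, reason in accepted:
        print(f"ACCEPT {peer} {prefix}: {reason}")
    for peer, prefix, reason in rejected:
        print(f"REJECT {peer} {prefix}: {reason}")
```

The unchecked case in this model, a peer announcing an exact prefix it is authorized for but with a forged AS path, is what the Secure BGP signing scheme quoted next addresses; prefix filtering alone does not cover it.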
Malware as Security Software by Selim (25/08/2008)
I personally liked this article, which shows the anatomy of malware and how malware authors are finding new ways to deceive end users. It shows a very good example, with step-by-step screenshots, of how the malware passes itself off as an AV program. It also points to this forum, which has a list of fake security software.
Anomaly detection for fraud by Selim (21/08/2008)
It is just natural to bring anomaly detection and some kind of intelligence to every aspect of life, especially within the security domain. This article shows a new fraud detection product by a small company. It watches and learns users' behavior and alerts accordingly when something strange happens (e.g. transferring funds at 2am on a Friday).
Spam is here to stay by Selim (21/08/2008)
It's simply supply and demand for the spam market, where 29% of spam messages lead to actual purchases. "London, 19 August, 2008 – 29 percent of internet users have purchased goods from spam emails, according to new research by Internet security company Marshal. The most commonly purchased items include sexual enhancement pills, software, adult material and luxury items such as watches, jewellery and clothing. "
Open-source and security by Selim (21/08/2008)
As mentioned in this article, most corporations try to avoid open-source software based on some common myths:
Myth 1 - Providing access to the source code makes open source vulnerable
Myth 2 - Open source is unregulated so anyone can compromise the code
Myth 3 - Open source does not follow best practices for reporting and addressing security vulnerabilities
Myth 4 - Open source does not provide the security features demanded by the enterprise
Myth 5 - The use of open source requires that IT define a separate set of security policies and procedures which increases cost and complexity
It's human nature; we fear what we don't know, and for some reason it makes us more comfortable when we pay $$$ for it. There is tons of open-source software out there, which has also helped to create a new line of business (companies providing professional support for open-source). There are questions about the SDLC and integrity of open-source software development; however, I'd ask the same questions of other "closed" software vendors as well. Security through obscurity doesn't work in the long run, and I think when the desired functionality is equal, having the source code to analyze and customize wins the battle.
Are we ready to say goodbye to passwords? by Selim (14/08/2008)
Everybody talks about the security implications of using password-based authentication systems. We've definitely come across dozens of articles on choosing secure passwords. The latest one of these (here) was published in the NY Times. "THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before." Then of course, the article mentions the reality: "Then there's the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever." Yet most (if not all) of the websites we visit, the memberships we create, the online banking we do, etc. depend on a not-so-secure username/password authentication scheme. Why is it still so popular despite all these articles and the news on identity theft? It's just simple to implement and use. Who'd want to deal with carrying a token with them just for checking emails? Or installing certificates on their laptop (meaning that they will have to use their laptop for authentication) to be used in conjunction with PKI systems (and who will manage all those PKIs)? I think it will come down to a balancing act, like everything else in life. We can't just eliminate the usage of passwords; it would be a huge inconvenience. Security should be an enabler, not a roadblock (although it is often seen as a roadblock). While trying to secure mechanisms and systems, we need to find the right balance of usability and security. Perhaps enforcing better authentication mechanisms (2-factor, encrypted transmission, etc.) for more important and critical tasks (e.g. online banking, M&A discussions, etc.) while keeping the highly usable and less secure password-only authentication schemes for somewhat less critical applications (e.g. online forums, etc.).
ADDITION (AUG18): Another blog post here on passwords and OpenID (in)security.
Nominees for Pwnie Awards 2008 by Selim (23/07/2008)
Pwnie Award 2008 nominees can be found here. The second annual ceremony for the winners will be in August. I personally like the "lamest response" nominees, and I believe McAfee would win first place here with their response regarding the ScanAlert service and HackerSafe certification, where more than 60 sites were found vulnerable to XSS attacks (including the ScanAlert site itself) :)
Another stolen laptop and important data by Selim (26/06/2008)
This incident happened in England. Even the government and the military, which hold very important data, have not learned a lesson from the incidents so far. I'm sure the data was stored without disk encryption, meaning it is far easier to access for whoever obtained it. First of all, why is personal information kept on laptops or portable disks at all? I don't think it should be that hard for England to find or create an environment where the data is encrypted and kept in a data center with both physical and logical security mechanisms in place.
Increased attack surface with AJAX and Web2.0 by Selim (03/06/2008)
AJAX is not a new technology but a combination of existing methods that is now supported by almost all browsers. It helped pioneers create new businesses, especially in the area of social networking and sharing web sites. However, this new approach also increased the (in)security considerations for the web. I suggest you read this article, which puts things into perspective with what's currently going on in the background. On a related note, Ajax Security is a very well written book, and I also recommend it to anyone interested in security and developing AJAX applications.
Rootkits everywhere by Selim (18/05/2008)
A rootkit for routers will be demoed at EuSecWest: "Different ways to infect a target IOS will be shown like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of Python scripts that provides the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced and it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail." Considering the fact that Cisco routers are pretty much everywhere, this is a pretty significant development. How do we keep up? Well, as suggested by Cisco, we need to follow "industry best practices"... While I agree, I also think that in addition to proper configuration of devices pre-deployment, we need to monitor activity throughout the network for malicious payloads and traffic. Of course the best way would be adding security from the ground up, while building the IOS code :) and then following all the recommendations as well.
Automated web application scanning leads to false sense of security by Selim (30/04/2008)
Web application assessments must be done manually and I don't think anyone can provide quality services by simply running a tool against a web application (e.g. hacker safe, automated tools, etc.). This is yet another example. Unfortunately, once people pay for such a service, especially with a 'certificate' that dictates the site is safe from hackers, they feel secure without fully understanding benefits/costs of the solution. Don't get me wrong, tools and automated scanning are great and a necessary step to evaluate web applications but (as already proven) they lack the human touch ;-)
compliance and security by Selim (15/04/2008)
I've written before about a false sense of security. This article also mentions the irrelevance of regulatory compliance and its requirements to actually being secure. US grocery chain Hannaford warned last month of an information security breach that exposed an estimated 4.2 million credit card records. The Hannaford breach was later blamed on a sophisticated malware attack. The grocery chain had achieved PCI DSS compliance, but the process failed to unearth the flaws that led to the breach. "Just because you are PCI compliant doesn't mean you are secure," Rapkin noted. This is not to say that compliance is useless; it is definitely better than doing nothing and creates the proper awareness. But as with anything in information security, passing the compliance test is not the 'silver bullet' either.
Cat-and-mouse game by Selim (04/04/2008)
I use Web 2.0 because it's the new technology, but since JavaScript execution and the Web 2.0 universe have created a larger attack surface than before, the threats are far too many. OK, I tell myself, the best thing is to browse the web with JavaScript disabled. Then I see that DDoS attacks have slowed down or crashed systems... the web is not what it used to be! What happened to security and continuity, I ask. Probably the best is security based on what I physically possess, i.e. biometrics. After all, only I have my fingerprint... or do I? So what's the remedy? Combining our strengths, our knowledge, and the solutions we can offer as infrastructure, and trying to always stay one step ahead in this cat-and-mouse game, I suppose...
How secure is your new OS? by Selim (27/03/2008)
A MacBook Air with OSX 10.5.2 has been hacked. According to a researcher, Windows Server 2008 has design flaws. We will also see how Vista and Ubuntu hold up at the CanSecWest Hacker Contest 2008.
The camera that sees inside by Selim (19/03/2008)
Interesting: a system that can detect harmful items such as weapons, drugs, and explosives under clothing. I guess it will first be put to use at airports.
Costly insecurity by Selim (19/03/2008)
Data breaches are on the rise. Take a look at this: five of the ten most costly breaches since 2000 occurred in 2007.
Attack on Pentagon - "amazing amount" of data stolen by Selim (10/03/2008)
From the article: "On June 22, 2007, Defense Secretary Robert Gates acknowledged that the Pentagon's network had been successfully attacked the previous Wednesday, and that this attack was responsible for a disruption in email service to some 1,500 Pentagon employees. At the time, Gates downplayed the attack, saying that it affected only the OSD's (Office of the Secretary of Defense) non-classified e-mail service and that there was "no anticipated adverse impact on ongoing operations." It seems that the adverse impact of the June attack may have been much greater than Gates' early guidance implied. According to a top DoD technology official quoted at GovernmentExecutive.com, the thieves behind that attack seized an "amazing amount" of data." What amazes me the most is the following statement from the article: "By the time it was detected, malicious code had been in the system for at least two months, and was propagating via a known Windows exploit." Are you kidding me?!? Not only did they lack up-to-date user awareness (since emails with malicious payloads had been going around), they also lacked the basics of security monitoring. I wonder how they pass security audits, especially for log monitoring and security incident response. Well, after all, we're human and we make mistakes, but you don't expect such a huge mistake/gap in the processes of the US government where sensitive data is at risk.
Mobile insecurities - malware by Selim (29/02/2008)
So you think that since you're using mobile/handheld devices, you're not vulnerable to known attacks? Well, think again: attackers seem to have extended their attack surface to mobile devices (well, it's been the case for a while, but we didn't have much news/articles/blogs on them). And these are pretty serious attacks too. According to the blog from Avert Labs (McAfee), Windows Mobile users are at risk and should be careful. The interesting thing about the blog is that some of the screenshots are dated back to 2006, yet the blog is posted in 2008. Here's the blog. "A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China. WinCE/InfoJack sends the infected device's serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device's security setting to allow unsigned applications to be installed without a warning. The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games."
Cold Boot Attack Demo by Selim (26/02/2008)
Information can be found here. And pictures and demos are here. Interesting finding, kudos to the researchers for sure.
Cracking gmail's captcha by Selim (26/02/2008)
"Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail." (here). Here's the original blog. Interestingly, this is not really trivial: the success rate is about 20% while using 2 bots. In any case, since it can be automated, it is dangerous. Beware of emails from gmail. This is going to be tough on anti-spam vendors and services, since gmail.com should not (usually) be blacklisted. But I guess individual addresses (100s or even 1000s of them) can be blacklisted in time, and anti-spam filters will have to come up with more advanced filtering (more content recognition).
Denial of Service to Pakistan by Selim (26/02/2008)
Who did this DoS? Well, it's Pakistan causing a DoS to itself while trying to block access to YouTube. Here's the story.
Attacking/cracking GSM communications by Selim (21/02/2008)
Low-Cost Attack on GSM Encryption Demoed: "At the Black Hat show, a pair of security researchers show a way to use cheap, off-the-shelf hardware to receive and decipher encrypted GSM signals." Apparently they were able to do this with equipment worth around $1000. According to the article, this was already possible in theory, but the required equipment would have cost around $1 million, so it is a considerable cost reduction for cracking GSM communication. "According to Hulton and Miller, an attacker with access to six 350GB hard drives (2TB) and one FPGA [field-programmable gate arrays] can easily recover the key of a GSM conversation (voice or sms/text) in less than 30 minutes." Now this is scary. For a few thousand dollars one can decipher and sniff GSM traffic, which definitely includes private and confidential data. For example, some online banking systems send PINs for authentication via SMS. Imagine what will be built upon this in the near future: sniffers, MITM tools, etc.
Goolag Scanner by Selim (21/02/2008)
Check this out by cDc. Finding vulnerable sites and automating Google hacking... It's becoming a lot easier to hack nowadays. Especially when you add Nessus and Metasploit (the latest version, with a GUI) for Windows to the equation, all you have to do is click, click, and done.
Nobody can agree on the captured famous hacker... by Selim (21/02/2008)
The news is here: "Maksym Yastremsky, one of the world's most famous 'hackers', captured in Antalya, cannot be shared." Bringing international cases to a conclusion, and where and how the trial will take place, is still a big problem. "The US making an attempt at the level of the Minister of Justice for the hacker's extradition raised the suspicion: 'Does the CIA or FBI want to use the hacker because of his superior skills?'" I think that's a very silly comment. The man has already stolen and plundered; countries that were harmed would of course want to catch someone who held roughly 80 thousand credit card numbers and was brokering (selling) them. The US, as the country where online credit card data is most processed and stored, is probably the country the hacker harmed the most. In the end, 'hacking' systems is not a technically difficult matter. What matters is the information Maksym Yastremsky holds and the information about the other hacker circles he can reach. Not only what he did himself, but also the groups/people he sold to and their methods are, I think, information of state-level importance for the US or Ukraine.
How safe is PDF by Selim (14/02/2008)
Interesting article on the safety considerations of the PDF format, and Adobe in particular, given the latest exploits and vulnerabilities.
Are you really safe when you encrypt your stored data? by Selim (12/02/2008)
Interesting argument on the use of encryption for stored data. Key management has always been the major drawback of using encryption, and now some experts say it can be used to mount a new type of DoS attack (here). "It's a new class of DoS attack," agreed Moulds. "If you can go in and revoke a key and then demand a ransom, it's a fantastic way of attacking a business."
Insider attack at Societe Generale by Selim (11/02/2008)
This happened at Societe Generale. "Societe Generale acknowledged last week that Jerome Kerviel, a 31-year-old trader, racked up a mountain of fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity." So who do you trust? Process, technology, and (other, non-criminal) people in the organization. As also mentioned in the article, not performing periodic reviews and not reviewing logs for not-so-normal activity made it more difficult to detect and prevent this incident.
A 5-year-old child walked into a bank (that should have been closed) by Selim (11/02/2008)
The original story is here. While his father was withdrawing money from an ATM (HSBC in England), the 5-year-old child strolled right into the bank, which should have been closed. They had left the door open and the alarm off :) No staff inside, no alarm, computers available for use... it sounds like a joke, but it's real. An incident that underlines the importance of following procedures and training employees... I suppose when the system was designed and set up, safer alternatives to a 'fail-open' model could have been considered.
False sense of security by Selim (29/01/2008)
This is a great example of a false sense of security: the Geeks.com site was hacked (credit card info lost) despite having daily "Hacker Safe" scans. Well, it's plain and simple: automated scans are not, and have never been, sufficient to provide a good security assessment of a web application. I'm not saying they're useless; in fact, automated web app assessment is a great starting point, but it's just a starting point. With so many customized features and so much functionality, web applications must always go through a complete assessment which includes (starts with) automated scans but must be accompanied by good manual pen testing of the application by a human who understands the business logic as well as the technical details. In any case, going back to my original point: a false sense of security. It is very common to assume security instead of actually validating it. Just because we have a security guard walking around the building doesn't necessarily mean that the guard is actually paying attention to what's going on. The same thing happened to geeks.com in this case. Having a daily scan which claims that your site is safe from hackers doesn't really mean that you're invincible. The sad thing is the certification provided and the notion of being totally secure because you're "certified". I think the best security in this particular case would've been coding and testing the product with security in mind before launching it. I guess with daily scans, the development team felt they didn't need to pay any attention to security (input validation at its simplest), since they assumed they were safe from hackers. I've also seen examples of this at various client locations. A security consultant comes in or a very expensive security product is purchased, and then everybody relaxes because now they feel secure. Meanwhile, the product is misconfigured (e.g. any-to-any on a firewall) and the consultant is just hanging around with a lot of talk about security but no action. Hence, another case of business and IT feeling secure without being secure.
2500 bank cards and 3.5 million YTL by Selim (11/01/2008)
According to what's described here, 7 people were caught. 2500 credit cards were involved and transactions totaling around 3.5 million YTL were made. I wonder which banks were involved and what methods were used to steal the data... does anyone know? If you noticed, with "by accessing the account information of users who were careless about Internet security...", the blame is placed on the end user, not on the banks.
unencrypted wi-fi from the security guru by Selim (10/01/2008)
Commentary on Wired... open wi-fi for all... I don't know. I think he has good points, especially on the (false) perception of risk; but for me, since enabling WPA is not such a burden, it's just another layer when at home, not only for my PC but for the family as well.
Locking the car door over the Internet... by Selim (10/01/2008)
I saw this news in Hürriyet... I wonder how much R&D went into the security of the system during its design and implementation... I'm honestly curious about the problems that will surface once it goes live. The system seems to have a great many different entry points; let's hope it doesn't become another Boeing story ;)
sysadmin fails to wipe out data, goes to jail by Selim (10/01/2008)
I can't even believe this is real, but it is; very funny and scary at the same time. The sysadmin plants a logic bomb in anticipation of his lay-off. Later he finds out that he is still employed and undoes the bomb... but he's so bad at it that the logic bomb, which was ironically set to go off on his birthday, runs anyway (he fails to disable it) and then doesn't run well due to a bug (doh!). Then he decides he'll run it anyway after fixing the script and gets caught by a colleague... Threats are very likely, and a lot more dangerous, coming from within. Proper technology (controls for AAA - authentication, authorization, accountability), process (regular audits, change management, etc.), and people (education and awareness) must be in place to minimize such risks...
(no) security on board with boeing by Selim (05/01/2008)
Interesting news... we'll probably end up checking in our laptops and electronic devices along with the luggage from now on. I wonder what the project plan and milestones looked like when they were designing the network for this plane... security: check
must secure barcode by Selim (02/01/2008)
I remember very clearly when we didn't have barcodes on items at grocery shops (which were much smaller back then), just a sticker with the price on them. We relied on the price the store owner put up there and didn't confuse/mix items with price tags. Now we have to think and act carefully in a different way when relying on the accuracy these bar codes provide. Check this article for example; it makes a good point that confidentiality, integrity, and availability of data, whether in a high-volume e-commerce website or a simple barcode reader at the check-out counter, must still be considered when designing systems. Confidentiality must be provided so that only proper readers can read what's in the bar code. With integrity in place, we'd know that no one has changed anything on the code itself since it was put on the item. The readers should also be available when needed and not choke on us in case something funny happens when reading the code (an overflow?? or spilled juice?). It is very easy to create 1D barcodes with tools such as the GNU Barcode project, or even by installing a certain font type (just search for 'free barcode font') into MS Word. How and where you use it is up to one's imagination...
Story on Gmail's security failure by Selim (26/12/2007)
Long time no post, it's been very busy lately. Very interesting and scary story. My recommendation is being proactive and constantly checking/monitoring configurations and activities in used software (email, web, local app, etc.).
20f1aeb7819d7858684c898d1e98c1bb by Selim (21/11/2007)
Interesting. The lesson to take away is simple: create stronger passwords and hash (or encrypt) them together with a salt. The hacker's mistake was using the unsalted form of a word found in dictionaries (Anthony)...
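As an added example (not code from the post), here is that lesson in working form: an unsalted MD5 can be matched against a dictionary table computed once and reused everywhere, while a per-user salt plus key stretching makes that table useless. The wordlist and "leaked" records below are constructed; the hash in the post title is not used.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a password dictionary (not from the post).
WORDLIST = ["password", "123456", "letmein", "Anthony", "qwerty", "dragon"]


def unsalted_md5(password: str) -> str:
    """The weak scheme behind the post: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Hash each dictionary word once. Because there is no salt, this single
    table answers 'which word produced this hash?' for every user and every
    site that stored unsalted MD5, which is exactly why the scheme fails."""
    return {unsalted_md5(w): w for w in words}


def audit_unsalted(stored_hashes, table) -> dict:
    """Defender-side audit: map each stored hash that is a dictionary word
    back to that word, so the affected accounts can be forced to reset."""
    return {h: table[h] for h in stored_hashes if h in table}


def new_salt() -> bytes:
    """16 random bytes; a fresh one for every user record."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """The fix the post recommends, in its modern form: a per-user random salt
    plus key stretching (PBKDF2-HMAC-SHA256). Stored as iterations$salt$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(password: str) -> tuple:
    """Unsalted: identical for every user with that password. Salted: differs
    per user, so one precomputed table cannot be reused across records."""
    a, b = new_salt(), new_salt()
    return (unsalted_md5(password) == unsalted_md5(password),
            salted_hash(password, a) == salted_hash(password, b))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed 'leaked' records: two dictionary words and one long passphrase.
    leaked = [unsalted_md5("Anthony"), unsalted_md5("dragon"),
              unsalted_md5("correct horse battery staple 2007")]
    print("dictionary hits:", audit_unsalted(leaked, table))
    record = salted_hash("Anthony", new_salt())
    print("salted record:", record)
    print("verify ok:", verify_salted("Anthony", record))
    print("unsalted equal / salted equal:", same_password_same_hash("Anthony"))
```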
hack of the year? by Selim (14/11/2007)
I think Tor is a great tool for anonymity, but how does using it become "the hack"? Of course, different people have different views...
Is it possible to be ahead of the threats? by Selim (29/10/2007)
Will it ever be possible to be ahead of the attackers and threats? Probably not... and that's why I keep talking about the importance of "people" and "process" when fighting information security attacks and protecting data. Technology alone can't do it.
Outsourcing in security - a double-edged sword? by Selim (15/10/2007)
I am someone who thinks outsourcing is an absolute necessity for companies. Especially for an infrastructure-related topic like information security, which requires a high degree of expertise/know-how, outsourcing should be inevitable. However, who performs the work, the procedures applied, and compatibility with the customer's business processes become very important. I've encountered negative examples of this many times at companies I've consulted for. There are plenty of people without sufficient knowledge/experience who claim, as 'consultants', to be securing companies' information. Especially at Turkish companies, this is limited to knowing and having experience with security products (restricted to network security). For example, someone who has used Check Point before can suddenly become an expert on firewalls, networking, and security. Security is a process, and such approaches give organizations a false sense of security, carrying company information as a whole into an even more dangerous position. Whereas what matters is protecting the information that lets the company do business, while also making operations flow more smoothly. Information security is a subject that must be considered as a whole, together with the company's business processes, the technologies used, and the people providing the service. I think people/companies focused on this work who know their job can provide effective service. To sum up, if the quality of the service received is not high, security services will bring more harm than good, in my opinion...
Spending on security by Selim (11/10/2007)
I liked this blog. It is to the point and points out the current issues in security. Purchasing products won't really do any good if we don't have the process and people to protect ourselves.
We have a firewall, IDS/IPS, antivirus... so there's nothing to fear by Selim (01/10/2007)
Products bought for security reassure us, even if only a little; the feeling of achieving something and owning the newest, best products is nice. At the same time, there's no shortage of people who think along the lines of 'we bought the company a firewall and now we're safe', or who feel they are in a completely secure environment thanks to the more elaborate/expensive products they bought. Products and the technical solutions on offer are of course necessary and useful, but information security, which I see as infrastructure, cannot be provided only with the solutions technology offers. As long as people do the work, there will always be gaps. The goal of attacking groups/individuals is not to defeat technical hardware and equipment, but to reach the data of companies or individuals and use and benefit from it for their own purposes. For this reason, the attacks against the layered security wall we keep building with technological advances (firewall, IDS/IPS, antivirus, anti-spyware, proxies, web filtering, spam filtering, etc.) are increasingly aimed at people's weak points. As evidence we can point to the phishing attacks that have been increasing quite rapidly lately. So what is the solution? I think the solution must be to become aware of information security and keep ourselves current. We can achieve this with training taken inside the company or individually. For it to be effective, this training has to be updated regularly and employees have to take part actively. Because information security is a process, just like the work being done, its implementation and effectiveness are only possible with structures suited to that process.
Do you trust your employees? by Selim (24/09/2007)
According to Gartner, 70% of all security incidents come from insiders. Here's another example of why we should take measures to provide confidentiality, integrity, availability, and accountability for business information from all different entry points. Perimeter security is not sufficient alone, it just provides a false sense of security.
Scary but true, organized cyber-crime is on the rise by Selim (17/09/2007)
Security has become a serious business on both sides now. Similar to what we have in the physical world (mafia vs. police, etc.), we have organized cyber-criminals who employ quality software engineers to write malicious toolkits and malware, versus organizations with a considerable amount of investment in security products, processes, and expertise. As usual, the bad guys are one step ahead in the game, and we are starting to see an increase in losses due to malware and criminal activity in cyberspace. So how do we fight back? I suggest investing in security research, creating processes that align with technology and business needs, and reading a bit of Sun Tzu, since this is a war after all...
How fast can you patch a server? by Selim (14/09/2007)
Once you know of a vulnerability and a possible work-around, is it possible to update and protect the critical servers right away? Probably not, because you have to test and verify the patches with the other applications on the hosts and (hopefully) follow some procedure so that you don't break anything (change management, patch management procedures, etc.). However, since this article clearly shows that attackers are ahead of the good guys, we need more than patches and patch management for proper protection. Perhaps IPS devices, and especially HIPS solutions, would be the right approach for zero-day protection, even for newly discovered vulnerabilities. Not all HIPS products provide protection for zero-day vulnerabilities, since most act upon signatures and exploit filters, so be careful when choosing your solution.
Top 10 list of Internet crimes by Selim (11/09/2007)
A list will of course not be sufficient, but it can be taken as an example for general terminology...
Importance of keeping the systems up-to-date by Selim (03/09/2007)
It is not always possible to keep all the servers up-to-date with the proper patches, etc. Nowadays IT staff seem overwhelmed with the workload and ongoing projects; hence, it is easy to miss a server or two... However, it costs big time! See this article for example, where the actual exploit is for a well-known vulnerability (Microsoft Security Bulletin MS06-042) with a well-known exploit. Even a script kiddie could've done this by copy/pasting the information from Metasploit or any other exploit source. I wonder whether the bank had any IPS device in place. I guess a proper solution for such attacks would be deploying a good-quality host-based IPS to protect servers that are not being patched, especially against known attacks.
Effective glances by Selim (30/08/2007)
In this research published by Stanford University students, it is possible to enter a password using eye movements only. It's an interesting study and could be a good countermeasure against what's known as 'shoulder surfing', i.e. watching and studying other people as they enter their passwords.
Information security enables focus in business processes by Selim (20/08/2007)
What is the real value of information security? In our beautiful Turkey, where the 'nothing will happen to me' mindset is partly reflected in our culture, how worthwhile an effort is it to protect our information against possible attacks? These questions stem from our not being sufficiently aware about security, and to be honest they make our job a bit harder :) Security is, after all, an intangible element with no immediate return. We could describe the current understanding of security as 'profiting by avoiding loss'. But my perspective goes a bit beyond that. The productivity provided in a secure environment is not just profiting by avoiding loss, but doing work with even more added value in a focused way. Focus is a really important element. Not everyone can be knowledgeable about everything, and they shouldn't be. Since security is an infrastructure matter, I think it should be left to the experts, and companies/individuals should focus on the work that is their own area of expertise and increase value. This approach of course leans toward outsourcing, but infrastructure is already something we use as an outsourced element; for example, we don't generate our own electricity, and we get our Internet connection from an ISP. The same way of thinking should apply to information security, so that the value it adds emerges more easily. Especially in this period when efforts at institutionalization have become widespread, it is much more important for the work done to be productive and effective. Time and effort spent in vain is money thrown away, which is why companies obtain their infrastructure/basic needs (Internet, telephone, physical security, catering, insurance, etc.) as outsourced services. Information security, as a job requiring a high degree of expertise, belongs among these basic needs. This way companies focus on whatever they actually do and give themselves the opportunity to do business and grow.
A new era on encryption technologies... by Selim (16/08/2007)
Encryption has always been effective when the effort spent on breaking it (e.g. brute force) costs more than the data it protects. Hence, with improvements in computing power, new supercomputers, etc., we use bigger key lengths in order to safeguard our data. For example, DES, an encryption algorithm used heavily in the 80s and 90s, is known to be breakable by brute force in a reasonable amount of time with today's computers. Imagine how much influence quantum computing will have on our use of today's encryption algorithms, where key lengths won't even matter much. And as expected, the good guys are also working on counter-measures :)
The role of individuals in information security by Selim (09/08/2007)
Information security is generally seen as a technological problem. Users' understanding is limited to malicious software such as viruses, worms, spyware and rootkits arriving on their systems. But security is really a problem beyond information technology, and the biggest factor standing in the way of creating a secure environment is the users themselves. One of the reasons information security is a business process problem in corporate environments is employees' usage habits. For example, while the US tax authority (IRS) should be one of the most security-sensitive institutions, a test showed that its people fell for social engineering attacks at a high rate. I suppose this is not a far-fetched scenario, especially given that our people in Turkey, who are very inclined to communal living and social solidarity, keep no secrets out of good will. Even I, though I haven't been in Turkey for a long time, remember 2-3 times learning other people's PINs at ATM machines while helping them. In conclusion, we need to question carefully whom we can trust, how, and the environment we are in. Maybe sharing our PIN temporarily at an ATM with dozens of people around isn't that harmful (as long as we don't get our card stolen too :) ... we can go home and change the PIN over the phone). But if a friend working in the accounting department of a company with an annual turnover of tens of millions of dollars shares it in a way that hands over their privileges, it can turn into an event that negatively affects many people (including the company). So what can we do? The necessary awareness training should be given in corporate environments. This training both raises employees' awareness in general and helps shape and announce the company's security policies. At the individual level, awareness efforts fall to web logs like this one, and a bit to social associations and to our government, I suppose.
Intrusion Prevention by Selim (06/08/2007)
Intrusion prevention has become a broad concept, whereas a few years back it was mostly related to signature matching. The initial offspring of this idea was network-based IPS. A company purchases a network device, perhaps an inline device that passes the traffic to/from protected networks while examining the payload for malicious signatures and behavior. However, as networks become more complex, a network-based solution is not sufficient anymore. You have various employees with laptops, and God knows where those laptops have been (hotels, hot spots, Internet cafes, etc.). It is very likely that a not-so-security-conscious employee may be infected with malware while on the road. When that employee comes back to the office and plugs back into the network, you have an internal threat to your "protected" resources. To address this need, host-based solutions evolved. The most common downside of host-based intrusion prevention systems (HIPS) is that they put some load on the servers/hosts and may also pose incompatibility issues. Note that such load and incompatibility issues arise when the HIPS solution interferes with the way applications and executables work; a network-level solution is much less intrusive (unnoticed). As a general guideline, Gartner describes 9 styles of host-based intrusion prevention, and it is agreed that a best-of-breed intrusion prevention technology is one that addresses whitelisting (allow known good), blacklisting (block known bad), and analyzing the unknown. There definitely are quality products that address this need. Note that information security solutions cannot be focused only on the "right" products; they have to involve people and processes along with these products. After all, security is a business and people issue, not a technology issue.
Finding vulnerabilities by Selim (29/07/2007)
Finding vulnerabilities in code has become a serious business over the past 5 years. See this article for example. It shows that there still are some good guys out there trying to do things ethically, while charging a bit for their efforts of course :). Now think about what is not published, meaning the underground world of finding vulnerabilities in code and selling them to the highest bidder for whatever purpose they have in mind. This is an inevitable evolution of information systems and technologies. Since technology has become a reflection of our lives, what happens in the so-called "real world" also happens on the NET. So how do we stop this? I don't think we can "stop" this, but we can certainly take some counter-measures by building communities and educating others/society to fight such organized (cyber) crime. Security is an ongoing and never-ending process in which humans play a big role. It is more than just purchasing the right products or putting up a firewall on your PC or network. It has to involve people, and definitely good, ethical people, so that we have some leverage against the malicious use of discovered vulnerabilities and security issues.
Biometrics and authentication by Selim (24/07/2007)
Will schools in our country one day use biometric technologies? There are even official proposals on this subject in the UK. However, I don't think the proposals we have seen are very effective in terms of authentication security. It is certain that they will make things easier for school administrations and parents, and as the technology advances, that is, as the false positives we see in biometrics decrease and it becomes more usable, it is only natural that it will become part of our daily lives. There are essentially three different approaches to authentication: something we know (a password), something we have (a smart card), and something specific to the person (physical, such as a fingerprint, etc.). For strong authentication, using two of these factors is the right approach. Most of the solutions we see on the market today use the first two methods (token + password, smart card + password, ...) because biometric technology has not fully matured. It is certain that biometric technology will grow, because in the long run keeping these tokens and smart cards up to date, and the administrative cost this brings, are a burden on both users and companies. What biometrics promises is to reduce administrative costs and the manpower spent. Let's see what progress Turkey will make on this front.
ROSI - Return On Security Investment by Selim (19/07/2007)
What is the value of information security? This has become a tough question to answer in terms of quantitative figures. This blog describes the irrational need for ROSI figures. For some, every business decision has to be based on what it returns (ROI); however, with information security, the real value-add is what is preserved.
Trojan Horse by Selim (17/07/2007)
Only the Turks don't let Trojan horses in.
The first virus by Selim (16/07/2007)
Naturally, there are debates about whether this was the first virus or not. Even if the first virus appeared earlier or later, when we go back 20-25 years in history, I think not much has changed with regard to security. Technology and the style of attacks have changed, but all of this happens relative to the countermeasures taken. That is, back then, because only simple countermeasures were taken and because systems and the applications on them were simple, malicious people carried out their attacks with simpler and easier methods. Today, because of the work that systems and applications do, attacks on these systems with their complex structure are at least as complex, and they appear in forms capable of bypassing the countermeasures on offer. In the end, the countermeasures and products adopted as technology can only give us assurance up to a certain level.
Go by Selim (16/07/2007)
I decided to start this blog to provide input back to the community. Information security is a topic in which formal education and technical knowledge are as important as experience in the field and business acumen. What I'd like to do with this blog is to point out examples from my experiences in conjunction with my knowledge and expertise. Even though information security is seen as a part of IT, it is more of an art than pure technology-related services and solutions. Well, in any case, here I join the world of blogs.